U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report

Management of the Department's
Publicly Accessible Websites

DOE/IG-0789                           March 2008

Department of Energy
Washington, DC 20585
March 13, 2008

MEMORANDUM FOR THE SECRETARY

FROM:                    Inspector General

SUBJECT:                 INFORMATION: Audit Report on "Management of the
                         Department's Publicly Accessible Websites"

BACKGROUND

The Department of Energy and its prime contractors operate hundreds of publicly accessible websites. These sites provide a wide range of information about the Department's energy, science, defense and environmental missions. Ensuring that these websites are secure and that information is current and readily accessible is vital to efforts to provide one-stop, on-line access to citizens, including the objectives established as part of a current Presidential initiative. In 2004, the Office of Management and Budget issued a memorandum detailing Federal website requirements, such as accessibility guidelines, set forth in Section 508 of the Rehabilitation Act, and specific website requirements outlined in the E-Government and Government Performance and Results Acts.

Virtually all interested parties recognize that facilitating communication with the citizenry is in the national interest; however, the unavoidable fact is that such communication may well impact agency cyber security vulnerabilities. In our recent report on The Department's Unclassified Cyber Security Program - 2007 (DOE/IG-0776, September 2007), we reported on unclassified Department networks on which publicly accessible web servers were not always properly secured.
Recently, both Federal and commercial websites have fallen victim to widely publicized attacks and data exfiltration. Because of increasingly sophisticated attacks and the risk of harm from improperly secured web servers and sites, we initiated this audit to determine whether the Department was maintaining publicly accessible websites that were secure and managed in accordance with Federal requirements.

RESULTS OF AUDIT

Our audit identified several opportunities to improve the security and management of the Department's publicly accessible websites. Specifically:

    • We identified over 50 significant cyber security incidents in the last three fiscal years, about half involving the defacement of web pages, which, in our judgment, could have been prevented had proper security controls been in place;

    • Content on publicly accessible web servers was not always controlled and reviewed periodically, contributing to an additional eight incidents which involved the exposure of personally identifiable information to unauthorized or malicious sources; and,

    • Most of the organizations reviewed also had not incorporated contingency/emergency planning features, provided accessibility for individuals with disabilities, and/or disabled unneeded computer services for their publicly accessible websites - factors that decreased the utility and increased the risk of malicious damage to those websites.

We concluded that the risk that the Department's publicly accessible websites and the data they contained could be compromised was higher than acceptable.
A lack of guidance from Headquarters and deficiencies in site-level management and control contributed to: (1) an unnecessarily risky security posture; and (2) publicly accessible websites that did not meet Federal accessibility requirements or contingency planning and emergency response best practices. For example, while the Office of the Chief Information Officer recognized the need for web security tools and implementation guidance, action had not been taken to procure the necessary tools. And, guidance documents had yet to be finalized and promulgated. None of the sites reviewed had incorporated security configuration requirements into their website policies and most had not established a process to review content posted on websites.

To their credit, certain of the Department's sites had taken actions to improve the security and utility of their publicly accessible websites. In particular, four field sites [Oak Ridge National Laboratory, Los Alamos National Laboratory (LANL), Livermore National Laboratory and the Lawrence Berkeley National Laboratory (Berkeley)] had implemented proactive techniques to scan their web applications to detect potential vulnerabilities to help prevent successful attacks. In addition, three sites (LANL, Berkeley, and Sandia National Laboratories) had developed websites specifically for use during a national emergency, such as a hurricane, earthquake, or forest fire. All sites reviewed had also taken action to reduce the risk that site-wide networks would be compromised through successful exploits of publicly accessible websites. These actions are beneficial; however, additional emphasis is needed in these areas. To that end, we made recommendations that, if implemented, should enhance the Department's ability to secure and manage its public websites.

Due to security considerations, information on specific vulnerabilities and locations has been omitted from this report.
Management officials at sites evaluated were provided with detailed information regarding identified vulnerabilities.

MANAGEMENT REACTION

Management agreed with the information contained within the report and concurred with each of the specific recommendations. Management stated that measures were being taken to ensure that the issues highlighted in our report are addressed. The National Nuclear Security Administration's (NNSA) comments, however, were not fully responsive in that they only addressed websites at two NNSA locations - websites that, at the time of our testing, satisfied most requirements. NNSA did not comment on problems we identified with contractor-operated web sites. Where appropriate, we incorporated management's suggestions into the body of the report. Relevant comments are included in Appendix 3.

Attachment

cc: Deputy Secretary
    Under Secretary of Energy
    Under Secretary for Science
    Administrator, National Nuclear Security Administration
    Chief Information Officer
    Chief of Staff

REPORT ON MANAGEMENT OF THE DEPARTMENT'S PUBLICLY ACCESSIBLE WEBSITES

TABLE OF CONTENTS

Website Management

    Details of Finding ........................................ 1

    Recommendations and Comments .............................. 7

Appendices

    1. Objective, Scope, and Methodology ...................... 9

    2. Related Reports ....................................... 11

    3. Management Comments ................................... 12

MANAGEMENT OF THE DEPARTMENT'S PUBLICLY ACCESSIBLE WEBSITES

Security and Management Processes

The Department of Energy (Department) did not always ensure that its publicly accessible websites were secure and that key Federal requirements regarding website management were enforced. Despite specific requirements issued by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), the Department had not adequately addressed security configuration and management issues related to its publicly accessible web servers.

Website Security

Sites had not implemented security measures necessary to help reduce the risk of successful attacks on their publicly accessible websites. In particular, our review identified a number of website security incidents that could likely have been prevented or ameliorated by the application of effective security controls. The Department and its field sites have reported about 60 incidents involving public web servers to the Department's Computer Incident Advisory Capability (CIAC) over the past 3 years (with 22 occurring in the last fiscal year). The majority of these events could likely have been prevented by ensuring security controls were in place and that known web vulnerabilities were properly managed and/or addressed.
Approximately half of the reported incidents resulted in malicious defacement of the webpage. For example, a recent incident at the Department's Brookhaven National Laboratory was reported where hackers modified the website to redirect users to pornography sites.

Sites also had not always controlled posted information or performed regular reviews of information posted to their public websites. For example, in accordance with Federal requirements, the Department's Chief Information Officer (CIO) requires that appropriate safeguards be in place to protect against the inadvertent exposure of personally identifiable information (PII). Despite these requirements, we noted that eight of the incidents in the past two years involved PII or other sensitive information which was improperly released through public websites, including names, social security numbers, and credit card information.
In one instance, personal information for more than 60 individuals was inappropriately posted to a publicly accessible website.

________________________________________________________________
Page 1                                            Details of Finding

Most of the sites and organizations reviewed did not always understand and evaluate the risk to their web servers and formally grant them the authority to operate through a process known as certification and accreditation (C&A). Through the C&A process, risks to the network and systems are analyzed and security controls are tested. Any residual risk must be accepted by management prior to putting the system in operation. In one instance, however, a site permitted the operation of numerous servers housing publicly accessible websites on a network that had not received proper authority to operate. At most sites, system security plans also did not specifically identify the risk of public access to the web servers by discussing controls that had been implemented to mitigate the heightened risk of such public access.
The Department's continuing problems with system C&A were detailed in our report on the Certification and Accreditation of Unclassified Information Systems (DOE/IG-0752, January 2007) and were most recently highlighted in our Evaluation Report on the Department's Unclassified Cyber Security Program – 2007 (DOE/IG-0776, September 2007).

We also noted that Headquarters organizations had very limited knowledge of the numerous public websites in operation complex-wide. Specifically, the Department was unable to provide us with an inventory of active public websites despite an E-Government Act requirement for organizations to maintain that information. The importance of such an inventory was illustrated during the Department's response to a 2004 incident related to Official Use Only (OUO) data being leaked to a public website. In response, the CIO asked CIAC to scan all Department public websites. However, a CIAC official told us that they had to abandon this project because "thousands" of websites were identified, making the effort very time consuming, labor intensive, and, according to them, virtually impossible to complete.

Two of the 12 field sites reviewed allowed computer services that were unnecessary to operate a public website – a practice that increased the websites' vulnerability to exploits and attacks.
NIST Special Publication (SP) 800-44, Guidelines on Securing Public Web Servers, states that each additional service enabled on a web server increases the risk of server compromise as it provides an additional avenue of attack. Although not specifically needed for site operation, we identified one site that allowed users, including the public, to transfer files anonymously from and potentially to 14 of its public web servers. Access controls to ensure that users could not post data to the server anonymously – a practice highly susceptible to malicious use – were not monitored by the site's cyber security group. Rather, responsibility was placed with system owners to properly secure the server, individuals who in many instances did not have the technical background necessary to maintain awareness of current website vulnerabilities.

Website Management Requirements

We also identified several opportunities to improve the utility and usefulness of the Department's public web servers. For example, nine sites were not utilizing their public websites as a means to provide information to employees and the general public during emergency or disaster situations.
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, states that the Internet is an effective notification tool during a disaster situation. In addition, best practices identified by the Web Managers Advisory Council, an organization made up of senior web managers from the Federal government, recommend that organizations plan how their website will communicate vital information during an emergency and what services will be available to the public. Action taken by the Los Alamos National Laboratory (LANL) following the Cerro Grande fire in 2000 serves as an example of proactive implementation of this guidance. LANL developed a website that can be used to provide information and updates to employees and the general public in future emergency situations. Sandia and Lawrence Berkeley National Laboratories (Berkeley) had also developed similar procedures.

Webpage scans performed during the audit also identified several issues regarding the accessibility of the Department's websites to disabled individuals. For example, almost half of the 97 webpages reviewed were not coded to allow people utilizing assistive technologies (such as screen readers) to properly view or fill in forms on the page.
In an effort to make information accessible to individuals with disabilities, including employees or members of the general public, Section 508 of the Rehabilitation Act of 1973 states that information technology (IT) utilized by Federal agencies should provide a level of access and use comparable to that available to individuals without disabilities.

Attention and Control

The Department's public websites were not always secure or managed in accordance with Federal requirements due to a lack of emphasis and attention from Headquarters and a lack of proper management and control at the field site level.

Headquarters Emphasis

Despite OMB's emphasis on public website security and management, the Department had not issued applicable guidance at the Headquarters level. In response to OMB Memorandum 05-04, which outlined Federal policies for publicly accessible websites, the CIO issued memoranda in 2005 and 2006 that reiterated the OMB requirements but did not provide implementing guidance or expected timeframes for implementation. Following those memoranda, the CIO's 2006 plan for the Revitalization of the Department of Energy Cyber Security Program (the Revitalization Plan) recognized the need for clear policy, as well as tools, to facilitate webpage analysis.
To that end, the plan identified two deliverables - guidance on website creation and management and enterprise licenses for website analysis tools. While a web guidance manual was drafted in 2005 as part of a separate initiative, it was never approved and released. In 2007, in response to the Revitalization Plan, a second manual was drafted, but had not been issued at the time of our review. Our review of the most recent draft guidance found that while it addresses the key areas of information security and operations and maintenance of Department public websites, it lacks specificity and a timeframe for implementation. In addition, the Department had not issued guidance pertaining to implementation of requirements outlined in Section 508 of the Rehabilitation Act.
CIO officials stated that, to date, no action had been taken to acquire and provide website analysis tools.

Site-Level Controls

While most sites had local policies regarding the management of their publicly accessible websites, only two had a mechanism in place to ensure regular review for adherence to either site-level or Federal requirements. Most of the incidents that we identified, as reported through CIAC, were the result of hackers taking advantage of vulnerable webpages and poorly configured servers. In addition, five of the sites maintained minimal control over the development of public websites residing on their network, allowing numerous websites to be maintained by multiple site-level organizations or departments. For example, one site had over 140 public web servers managed by over 30 different departments. This practice makes it difficult for the sites' information technology (IT) groups to ensure that all necessary controls are in place and content is reviewed on servers not directly under their cognizance.
It also requires the purchase and maintenance of numerous servers to host websites.

Officials at Berkeley indicated that centralizing the management of their public websites to solve these types of issues could hinder the scientific process at the site. However, Oak Ridge National Laboratory (ORNL) – a site with missions very similar to those at Berkeley – recently completed an application standardization effort, whereby all legacy systems were transitioned to central management in an effort to control costs and reduce risks to the site. ORNL officials, citing expected cost and time savings, made the decision to consolidate the site's numerous independent websites and stated that consolidating all websites under the control of the site's IT group enhanced security of the servers. This effort allowed ORNL to balance the need for scientific collaboration with security risks.

Further, while we noted that all sites reviewed were performing network-level vulnerability scans, only 4 of 11 field sites and 1 program office performed regular application-level scanning of their public websites, a practice that could disclose website-specific vulnerabilities. Scanning and analysis of the results could help sites identify webpages or applications that were not securely programmed or configured.
Our research into these tools found that they can cost as much as $40,000 per user. Therefore, the provision of an enterprise license for scanning software, as called for in the Revitalization Plan, could facilitate the field sites performing this type of scanning.

Website Security and Opportunities for Saving

Without improvements in awareness and control of its numerous public websites, the Department faces increased risk of exploits that could expose it to potential loss of critical information or embarrassment and increased cost of managing and maintaining its websites. Inconsistent and weak management and control over web servers may result in improperly configured servers, increasing the risk of defacement or compromise of sensitive information. Without having performed the C&A process on public web servers, for example, the Department has no assurance that security controls are in place and operating as intended. As a result, the servers could be vulnerable to attack by malicious persons. In 2006, the Systems Administration Networking and Security Institute named web applications to its annual Top 20 Internet Security Attack Targets.
In addition, CIAC officials stated that approximately 70-80 percent of the successful intrusion reports they received involved web applications.

Further, uncontrolled proliferation of web servers makes it difficult to perform content reviews to control posted information, increasing the risk that sensitive or OUO information may be inadvertently or deliberately posted and released to the general public. For example, the Revitalization Plan noted the potential for the creation of sensitive data by combining non-sensitive data from multiple websites. However, without an inventory of websites, a review for this type of vulnerability is virtually impossible for the Department to undertake. Furthermore, we noted that only two of the eight instances of PII released on public websites were identified internally as a result of regular content reviews.

Finally, decentralized management of publicly accessible websites can result in higher costs due to increased staff needed to develop and maintain them and the numerous servers needed to host them. By centralizing website management at the site or data center level, the Department's sites could consolidate existing websites onto fewer servers, thereby saving the cost of the server and potentially reducing the number of staff needed to manage and maintain them.
At just 4 of the 12 sites we reviewed, maintenance costs were significant and amounted to approximately $3.5 million over the past 3 years. Those costs do not include forensic and recovery costs incurred when vulnerabilities are exploited.

RECOMMENDATIONS

To address the issues identified in this report, we recommended that the Department and the NNSA CIOs, in coordination with the Under Secretary of Energy and the Under Secretary for Science:

    1. Develop Department policy and implementing guidance that specifically addresses the key areas of information security, operations and maintenance, and accessibility of publicly accessible websites.

To enhance the security and control over the Department's publicly accessible websites, we further recommend that the Administrator, NNSA, the Under Secretary of Energy and the Under Secretary for Science:

    2. Direct field sites to evaluate the large number of publicly accessible websites being maintained and take action to consolidate them, where appropriate; and,

    3. Ensure that publicly accessible website development and postings at field sites are actively controlled and monitored by field site management.

MANAGEMENT REACTION

Management agreed with the information contained within the report and concurred with each of the specific recommendations. The Department's Office of Chief Information Officer (OCIO) provided comments stating that actions would be taken to enhance the security and management of the Department's publicly accessible websites. Specifically, a revised directive containing website development and management requirements, responsibilities, and best practices is currently under review in the Department's directive process. In addition, the OCIO plans to develop guidance for automated review of websites and servers by the end of Fiscal Year 2008. Further, the OCIO is in the process of compiling website domain information into a single database, which will serve as the Department's website inventory, in accordance with the E-Government Act. This action is expected to be completed by June 2008.

The Under Secretary for Science provided comments on the report that were incorporated into the response provided by the CIO.
Comments provided by NNSA indicated concurrence with the report's recommendations but only reflected the status of NNSA's websites at its Federal establishments, specifically Headquarters and the NNSA Service Center.

AUDITOR COMMENTS

Management's comments are generally responsive to our recommendations. NNSA's comments were not fully responsive, however, in that they only addressed websites at 2 NNSA locations – websites that, at the time of our testing, satisfied most requirements. NNSA's comments did not discuss the publicly accessible website management problems we observed at NNSA field sites. Specifically, they did not mention or provide proposed corrective actions for issues with network certification and accreditation, content posting and review, and unnecessary services on web servers at NNSA sites. These issues are more fully described in the body of the report. Subsequent to our receipt of the comments, an NNSA official acknowledged that the comments did not cover contractor-managed websites.
Since the comments do not directly relate to the issues described in this report, they have been omitted.

Appendix 1

OBJECTIVE

The objective of this audit was to determine whether the Department of Energy (Department) is maintaining public websites that are secure and managed in accordance with Federal requirements.

SCOPE

The audit included publicly accessible websites that did not require user authentication.

The audit was performed between September 2006 and December 2007 at Departmental Headquarters in Washington, DC, and Germantown, MD; the National Nuclear Security Administration Service Center and Sandia National Laboratory in Albuquerque, New Mexico; Los Alamos National Laboratory in Los Alamos, New Mexico; Lawrence Livermore National Laboratory in Livermore, California; Lawrence Berkeley Laboratory in Berkeley, California; Stanford Linear Accelerator Center in Menlo Park, California; and Oak Ridge National Laboratory, the Oak Ridge Office, the Y-12 National Security Complex, the Office of Scientific and Technical Information, and the East Tennessee Technology Park in Oak Ridge, Tennessee.

METHODOLOGY

To accomplish our objective, we:

    •   Reviewed applicable laws and directives pertaining to management and security of Federal public websites;

    •   Reviewed applicable standards and guidance issued by the National Institute of Standards and Technology;

    •   Assessed the Department's and its field sites' public website management and web server security practices;

    •   Scanned a sample of the Department's publicly accessible webpages for compliance with requirements pertaining to accessibility and privacy;

    •   Held discussions with field site officials and officials from various Departmental offices; and,

    •   Reviewed reports by the Office of Inspector General and the Government Accountability Office.

We also evaluated the Department's implementation of the Government Performance and Results Act and determined that it had established performance measures for website management. We did not rely solely on computer-processed data to satisfy our objectives. However, computer-assisted audit tools were used to perform scans of various webpages.
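The report does not describe what the automated scans checked for. The script below is an added example, not an OIG tool, of the kind of check such a scan performs against a captured HTTP response: it flags cookies that outlive the browser session (the persistent-cookie finding of the 2001 Internet Privacy report), counts images with no text alternative (a Section 508 requirement), and looks for a privacy-policy link. The sample pages, the fixed reference date, and the heuristic that a link whose target or text contains the word "privacy" counts as a privacy disclosure are assumptions of the example; cookies with Max-Age=0 or an Expires date already in the past are deletions and are deliberately not flagged.

```python
"""Audit captured HTTP responses for persistent cookies, missing image alt
text and a privacy-policy link. Added example; the pages below are
constructed, not Department websites."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from http.cookies import CookieError, SimpleCookie

# Fixed reference time (assumed) so the Expires comparison is reproducible.
NOW = datetime(2008, 3, 13, tzinfo=timezone.utc)


def persistent_cookies(set_cookie_headers, now=NOW):
    """Return names of cookies that would survive closing the browser.

    Persistent means Max-Age > 0 or an Expires date later than `now`.
    Max-Age <= 0 or a past Expires deletes the cookie and is not flagged.
    Unparseable values are flagged, since the auditor cannot rule them out.
    """
    found = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue  # malformed header: nothing to evaluate
        for name, morsel in jar.items():
            max_age, expires = morsel["max-age"], morsel["expires"]
            if max_age:
                try:
                    if int(max_age) > 0:
                        found.append(name)
                except ValueError:
                    found.append(name)
                continue
            if expires:
                try:
                    if parsedate_to_datetime(expires) > now:
                        found.append(name)
                except (TypeError, ValueError):
                    found.append(name)
    return found


class AccessibilityPrivacyParser(HTMLParser):
    """Count <img> tags lacking an alt attribute and detect a privacy link."""

    def __init__(self):
        super().__init__()
        self.images_missing_alt = 0
        self.has_privacy_link = False
        self._link_text = None  # collects text while inside an <a>
        self._link_href = ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and "alt" not in attrs:
            # alt="" is valid for decorative images; only a missing alt fails.
            self.images_missing_alt += 1
        elif tag == "a":
            self._link_href = (attrs.get("href") or "").lower()
            self._link_text = []

    def handle_data(self, data):
        if self._link_text is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_text is not None:
            text = "".join(self._link_text).lower()
            if "privacy" in self._link_href or "privacy" in text:
                self.has_privacy_link = True
            self._link_text = None


def audit_page(set_cookie_headers, html_body):
    """Findings for one response: (Set-Cookie headers, HTML body)."""
    parser = AccessibilityPrivacyParser()
    parser.feed(html_body)
    parser.close()
    return {
        "persistent_cookies": persistent_cookies(set_cookie_headers),
        "images_missing_alt": parser.images_missing_alt,
        "has_privacy_link": parser.has_privacy_link,
    }


def summarize(pages):
    """Percentage of sampled pages with each problem, the form the 2001
    report used ("12 percent ... employed persistent cookies")."""
    details = {url: audit_page(h, b) for url, (h, b) in pages.items()}
    total = len(details)

    def pct(count):
        return round(100.0 * count / total, 1) if total else 0.0

    rows = details.values()
    return {
        "pages": total,
        "pct_persistent_cookies": pct(sum(1 for r in rows if r["persistent_cookies"])),
        "pct_missing_privacy_link": pct(sum(1 for r in rows if not r["has_privacy_link"])),
        "pct_images_missing_alt": pct(sum(1 for r in rows if r["images_missing_alt"])),
        "details": details,
    }


# Constructed sample: URL -> (Set-Cookie headers, HTML body). Not real sites.
SAMPLE_PAGES = {
    "http://www.example.gov/": (
        ["sid=a1b2c3; Path=/; HttpOnly"],  # session cookie: acceptable
        '<html><body><img src="seal.png" alt="Agency seal">'
        '<a href="/privacy.html">Privacy Policy</a></body></html>',
    ),
    "http://lab.example.gov/news/": (
        ["visitor=9f8e; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
         "old=1; Max-Age=0; Path=/"],  # Max-Age=0 deletes; not persistent
        '<html><body><img src="banner.gif"><img src="spacer.gif" alt="">'
        '<p>Contact us</p></body></html>',
    ),
    "http://www.example.gov/data/": (
        ["pref=lang-en; Max-Age=31536000; Path=/; Secure"],
        '<html><body><a href="/about">About</a></body></html>',
    ),
}

if __name__ == "__main__":
    summary = summarize(SAMPLE_PAGES)
    for key in ("pages", "pct_persistent_cookies",
                "pct_missing_privacy_link", "pct_images_missing_alt"):
        print(f"{key}: {summary[key]}")
```

On the constructed sample, two of three pages set a persistent cookie and two lack a privacy link, so the summary reports 66.7 percent for each; the Max-Age=0 cookie and the alt="" spacer image are correctly left unflagged.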
We validated the results of the scans by performing other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

We conducted this performance audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit included tests of internal controls regarding the management and security of public websites. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation.

Management waived an exit conference.

Appendix 2

RELATED REPORTS

  •   Evaluation Report on the Department's Unclassified Cyber Security Program – 2007 (DOE/IG-0776, September 2007). The Department of Energy (Department) continued to have problems in the areas of system certification and accreditation, system inventories, contingency planning, access controls, and the protection of personally identifiable information.
      The problems cited occurred, at least in part, because Headquarters programs and field sites had not fully developed or implemented policies that incorporated all Federal and Departmental cyber security requirements. In addition, the lack of oversight at various levels of the Department, including effective use of Plans of Action & Milestones, contributed to the weaknesses identified. Therefore, without an increased focus on protecting its critical technology resources, the risk of compromise to the Department's information and systems remained higher than necessary.

  •   Audit Report on Certification and Accreditation of Unclassified Information Systems (DOE/IG-0752, January 2007). Despite recent efforts by the Department to enhance cyber security guidance, many systems were not properly certified and accredited prior to becoming operational. For example, of the 14 sites reviewed, 9 sites had not properly assessed the potential risk to their systems and had not adequately tested and evaluated security controls. In many instances, senior agency officials accredited systems even though they had not been provided with adequate or complete information. These issues occurred because the Office of the Chief Information Officer and program elements did not adequately review completed activities for quality or compliance with requirements. Therefore, the Department lacked assurance that its information systems and the data they contained were secure.

  •   Audit Report on Internet Privacy (DOE/IG-0493, February 2001). Of the 93 Department websites reviewed, approximately 12 percent impermissibly employed persistent cookies to collect information from site visitors and 30 percent did not satisfy Federal privacy disclosure requirements.
      Since the Department's data collection methods were not uniformly consistent with applicable regulations and lacked clear and current implementing guidance, the Department could not assure that the privacy of its website visitors was properly protected in all instances.

Appendix 3

MANAGEMENT COMMENTS

IG Report No. DOE/IG-0789

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                           Office of Inspector General (IG-1)
                                 Department of Energy
                                Washington, DC 20585

                              ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Judy Garland-Smith (202) 586-7828.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

              U.S. Department of Energy Office of Inspector General Home Page
                                  http://www.ig.energy.gov

  Your comments would be appreciated and can be provided on the Customer Response Form.